LiteLLM SQL injection exploited

- Attackers began probing LiteLLM’s critical SQL-injection flaw on April 26, just 36 hours after GitHub indexed advisory GHSA-r75f-5x8p-qvmc globally.
- The bug let unauthenticated requests reach LiteLLM’s database through an Authorization header, exposing API keys, provider credentials and environment configuration.
- LiteLLM patched affected versions 1.81.16 through 1.83.6 in 1.83.7 after the April 20 disclosure. (github.com)

LiteLLM is a gateway that sits between an app and models from OpenAI, Anthropic and other providers, so one service often holds many customers’ keys and routing rules. (sysdig.com) (github.com)

GitHub’s advisory says LiteLLM mixed the caller’s Authorization bearer token directly into a database query during proxy API-key checks. That mistake created a pre-authentication SQL injection: an attacker could reach the database before logging in. (github.com)

The affected Python package versions were 1.81.16 through 1.83.6, and the fix shipped in 1.83.7. GitHub published the maintainer advisory on April 20, 2026, and indexed it in the global GitHub Advisory Database on April 24. (github.com)

Sysdig said it saw the first exploitation attempt on April 26, 2026, at 04:24 UTC — 36 hours and seven minutes after the advisory hit GitHub’s global database. The company said the activity looked targeted, not like a broad automated spray. (sysdig.com)

Sysdig said the attacker ran 17 UNION-based payloads and focused on three database tables: virtual API keys, stored provider credentials and environment-variable configuration. Those are the records that can let one gateway unlock multiple upstream AI accounts. (sysdig.com)

The company said it did not observe authenticated follow-on use of stolen keys, virtual-key creation through `/key/generate`, or confirmed reuse of provider credentials. The reported incident was an observed exploitation attempt and schema-enumeration campaign, not a confirmed downstream cloud compromise. (sysdig.com)

GitHub rated the flaw critical with a CVSS score of 9.3 and said an unauthenticated attacker could read data and might be able to modify it. The advisory’s workaround, for teams that could not patch immediately, was to set `disable_error_logs: true` under `general_settings`. (github.com)

The episode shows what an AI gateway actually concentrates in one place: prompts, logs, API keys, provider credentials and policy logic. When that broker is exposed on a network port, a single bug can turn a convenience layer into a secrets vault under attack. (sysdig.com) (github.com)

For LiteLLM users, the immediate checklist is narrow and dated: upgrade to 1.83.7 or later, look for suspicious requests beginning April 26, and review any database-resident keys or provider credentials that the proxy stored. (github.com) (sysdig.com)
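The "look for suspicious requests beginning April 26" step of that checklist, as an added defender-side example that is not part of the briefing or of LiteLLM itself: it scans proxy access logs for bearer tokens that contain SQL syntax instead of an opaque key. The log line format and the assumption that legitimate virtual keys contain only URL-safe characters are both constructed for this example; adapt the regexes to your own proxy's log layout.

```python
import re
from datetime import datetime, timezone

# Constructed sample access-log lines (not real LiteLLM output; the layout
# "<ISO timestamp> <method> <path> authorization=Bearer <token>" is an assumption).
SAMPLE_LOG = """\
2026-04-25T22:10:03Z POST /chat/completions authorization=Bearer sk-abc123DEF456
2026-04-26T04:24:11Z POST /chat/completions authorization=Bearer sk-x' UNION SELECT 1--
2026-04-26T04:25:40Z GET /models authorization=Bearer sk-x' OR 1=1 --
2026-04-26T09:00:00Z POST /key/generate authorization=Bearer sk-abc123DEF456
"""

# Review window from the article: first observed probing was April 26, 2026 (UTC).
WATCH_FROM = datetime(2026, 4, 26, tzinfo=timezone.utc)

# Assumption: a genuine virtual key is an opaque token made only of URL-safe characters.
TOKEN_OK = re.compile(r"^[A-Za-z0-9_\-.]+$")
# SQL syntax that has no business inside an API key (UNION-style probing, quoting, comments).
SQL_HINTS = re.compile(r"(\bUNION\b|\bSELECT\b|--|/\*|'|\")", re.IGNORECASE)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) authorization=Bearer (.*)$")


def parse_line(line):
    """Split one log line into timestamp, method, path and bearer token (None if malformed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "method": m.group(2), "path": m.group(3), "token": m.group(4)}


def classify(token):
    """Return the reasons a bearer token looks like injection rather than a key (empty if clean)."""
    reasons = []
    if not TOKEN_OK.match(token):
        reasons.append("non-key characters in bearer token")
    if SQL_HINTS.search(token):
        reasons.append("sql keyword, quote or comment in bearer token")
    return reasons


def find_suspicious(log_text, watch_from=WATCH_FROM):
    """List (timestamp, path, reasons) for requests in the review window with hostile tokens."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ts"] < watch_from:
            continue
        reasons = classify(rec["token"])
        if reasons:
            hits.append((rec["ts"].isoformat(), rec["path"], reasons))
    return hits
```

A hit only shows that someone sent SQL syntax in the Authorization header; whether the proxy was still on an affected version at that time decides whether the database-resident keys and provider credentials need rotating.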


Shared from Scout - Be the smartest in the room.